The PHP development team would like to announce the immediate availability of PHP 5.2.14. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related.

This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case by cases basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

The packages for Debian “Lenny” are now available on Dotdeb.

Of course, you’re advised to read the full announcement and the Changelog before upgrading.

Thanks (again) to Stefan Esser and the Month of PHP security for improving PHP.

Feel free to Flattr this post at flattr.com, if you like it.

The PHP development team would like to announce the immediate availability of PHP 5.3.3. This release focuses on improving the stability and security of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users are encouraged to upgrade to this release.

The packages for Debian “Lenny” are now available on Dotdeb on the usual repository.

Of course, you should read the full announcement, the PHP 5.3 migration guide and consult the Changelog.

Caution : (to PHP-FPM users) with the inclusion of PHP-FPM in the PHP 5.3 core, the syntax of the configuration file (/etc/php5/fpm/php5-fpm.conf) has changed. It switched from a XML syntax to an INI one. Please prepare your new configuration file before upgrading, by reading carefully the PHP documentation and this page.

And thanks to Stefan Esser and the Month of PHP security for improving PHP.

Feel free to Flattr this post at flattr.com, if you like it.

This initiative continues the effort of Hardened-PHP’s Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications.

You’ll find more information on the MoPS website and you can follow its twitter account to discover each vulnerability as soon as it’s reported.

Feel free to Flattr this post at flattr.com, if you like it.

• filter_var now validates correctly the hostnames that include ‘-’ (bug #51192)
• the GD bundled library has been patched to fix some TrueType issues (bug #51207, …)

In addition, PHP 5.3.2 now restarts softly, without any problem (thanks to Daniel Hahler).

Feel free to Flattr this post at flattr.com, if you like it.

The PHP development team is proud to announce the immediate release of PHP 5.3.2. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes.

Security Enhancements and Fixes in PHP 5.3.2:

• Improved LCG entropy. (Rasmus, Samy Kamkar)
• Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
• Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)

(…)

It is now available on Dotdeb (still on a separate repository) with the following changes :

• id3 and mailparse PECL extensions have been removed from the repository. If some of them were useful to you, please let me know. Don’t forget that there”s an easy way to package PECL extensions by yourself
• the memcache extension has been downgraded to v3.0.3 because of a bug in the session redundancy
• php5-fpm is now an alternative dependency og the php5 meta-package

As usual, please read the release announcement and the full Changelog before upgrading. If you’re migrating from PHP 5.2, you can also take a look at migration guide.

[Update] The packages have been updated to fix a MySQL connection issue. The geoip PECL extension is back.

Feel free to Flattr this post at flattr.com, if you like it.

The PHP development team would like to announce the immediate availability of PHP 5.2.13. This release focuses on improving the stability of the PHP 5.2.x branch with over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.13:

• Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
• Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
• Improved LCG entropy. (Rasmus, Samy Kamkar)

(…)

On the Dotdeb side

• geoip, id3 and mailparse PECL extensions have been removed from the repository. If some of them were useful to you, please let me know. Don’t forget that there”s an easy way to package PECL extensions by yourself
• the memcache extension has been downgraded to v3.0.3 because of a bug in the session redundancy.

As usual, please read the release announcement and the full Changelog before upgrading.

Feel free to Flattr this post at flattr.com, if you like it.

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

• Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
• Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
• Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
• Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
• Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

(Please read the full announcement for more details)

Dotdeb packages of PHP 5.2.12 are now (finally) available for Debian “Lenny” and “Etch”, amd64 and i386.

Upgrading your servers is strongly encouraged because of several security issue, especially a multipart/form-data DoS (CVE-2009-4017). Please set the max_file_uploads parameter carefully.

Feel free to Flattr this post at flattr.com, if you like it.

• the php5-fpm binary
• the /etc/init.d/php5-fpm script

All should work fine now.

Feel free to Flattr this post at flattr.com, if you like it.

A few days ago, the PHP Group released PHP 5.3.1 :

The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.3.1:

• Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
• Added missing sanity checks around exif processing.
• Fixed a safe_mode bypass in tempnam().
• Fixed a open_basedir bypass in posix_mkfifo().
• Fixed failing safe_mode_include_dir.

Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes are available in the ChangeLog.

The Dotdeb changes

On the Debian side, some changes were made :

• the packages are now patched with the official Suhosin patch.
• beside the apache2, apache2filter, CGI and CLI flavours, the FPM one has now its own dedicated package, named “php5-fpm”. It will allow you to have greater performances and a lot of more features on a CGI-style installation (FYI, an init script, a config file and a nginx config sample are provided).

How to install?

Because migrating from PHP 5.2. to PHP 5.3 can break some applications, here is the Dotdeb release policy :

• PHP 5.2 is still the default branch for Debian Lenny for some weeks/months. PHP 5.3 packages are kept on a separate repository.
• PHP 5.3 will be the default branch for the upcoming Debian Squeeze (mid-2010)

Then , to install PHP 5.3 on your Debian “Lenny” box, just add these two entries in your /etc/apt/sources.list :

deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all

Now launch your favorite commands (apt-get update && apt-get upgrade) to upgrade your box.

In case you enjoy this new release, feel free to donate or to take a look at my whishlist… Xmas is coming

Feel free to Flattr this post at flattr.com, if you like it.

• Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)
• Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
• Added missing sanity checks around exif processing. (Ilia)
• Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)

To avoid the same negative feedbacks as about PHP 5.2.10, a lot of debug and changes has been made :

• The embedded_timezone patch has been disabled. You now have to set date.timezone manually in your /etc/php5/*/php.ini files, depending on your machine.

• If you encounter problems with some applications and the CGI flavour, remember to set cgi.fix_pathinfo=1 in your php.ini (thanks Scott for reporting this)

As usual, read the full Changelog before upgrading.

Feel free to Flattr this post at flattr.com, if you like it.